Fundamentally there are two options for obtaining a site that uses HTTPS. First, you (or your web designer, web hosting company, or a consultant) can purchase a secure certificate and install it on your server. Typically this requires an annual expense to keep the certificate up-to-date.

Second, there is an option for a free HTTPS website. There is more than one way to accomplish this, but I want to point out one that is not only free, but provides additional benefits for your site, as well.

That is to use the Cloudflare platform. Cloudflare has an interesting background, worth a read. For us, it is enough to understand that it acts as a sort of buffer for your site. When a visitor comes to a site using Cloudflare, they see parts of the site served up by Cloudflare (to speed things up) and parts from your site (things that might change). Cloudflare also intercepts attacks on your site, and blocks many of them. You can see all of this in your Cloudflare Dashboard.

Now it is possible to set up a free HTTPS website through Cloudflare as well.

How it works

If you just want to know how to install it, skip to the next section. Keep reading to see how it works.

In its normal setup, Cloudflare walks you through the process of changing your site’s DNS server address. (DNS is the system that lets visitors put “yoursite.com” into a browser instead of numbers like 216.58.194.110.) So, when you type in “yoursite.com”, the browser goes to the DNS server (they are all over the world) and asks it which address is matched to “yoursite.com”. The answer comes back “216.58.194.110”, so off it goes to that address. When Cloudflare has you make this change to your DNS settings, it puts itself (Cloudflare) between the visitor and you: the visitor puts in “yoursite.com”, but instead of DNS sending back 216.58.194.110, Cloudflare’s DNS sends back 198.41.215.162, so the browser comes to Cloudflare. Cloudflare then does some magic: it filters out bad stuff, serves up parts of your website that it stores at Cloudflare, and passes the request on to your real website for the rest.

For a secure (HTTPS) site, you can see that we actually need security between the visitor and Cloudflare, and also between Cloudflare and your site. Cloudflare issues its own secure certificate for the first part, and gives you a certificate to put on your site that covers the second part.

How to Set Up HTTPS with Cloudflare

For our purposes, we’ll assume your site is hosted by a company that allows you to use CPanel to manage the site. The same thing will work with other hosting management methods, but that is beyond the scope of what we can cover here.

Create a Cloudflare account if necessary

Add your domain to your Cloudflare account

Visit your hosting company’s DNS page (in a separate tab) and verify the hosts listed in Cloudflare include all the hosts in the hosting company list

On the Crypto tab of the Cloudflare page, under Origin Certificates, make the selection to create a free TLS certificate

Find “Install an SSL Website” and select your domain from the dropdown list

Install the certificates on your host using CPanel:

On Cloudflare, highlight and copy the Origin Certificate. Include everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----

Return to the CPanel screen and paste it in the box marked Certificate: (CRT).

Go back to Cloudflare and copy the Private Key – everything from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY-----

Return to CPanel and paste into the box which says Private Key: (KEY)

In CPanel, click Install Certificate

Return to Cloudflare and go to the top of the Crypto section:

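Under SSL set the dropdown to Full (Strict) (if you get errors when accessing your site after allowing 24 hours for everything to be updated, try Full instead). Full still encrypts the connection between Cloudflare and your server, but it does not validate the certificate your server presents, so prefer Full (Strict) whenever it works.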

Under Always Use HTTPS click the button ON

Under Opportunistic Encryption, be sure the button is ON

Under Automatic HTTPS Rewrites click the button ON

Verify! Open a browser you rarely use (or a Private Window in Firefox, or an Incognito Window in Chrome) and access your website using https://your.site.com (with your real web address, of course!) and make sure you see the green padlock, or the word Secure, or whatever your browser uses to show that you have accessed a secure site.
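
The copy-and-paste steps above go wrong when a marker line or part of the body is lost on the way into CPanel. As an added example (not part of the original article and not Cloudflare's or CPanel's own tooling), this Python code checks a pasted block before you click Install Certificate; check_pem, make_pem and the sample data are hypothetical names and constructed values.

```python
import base64
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END ([A-Z ]+)-----", re.S)

def check_pem(text, expected_label):
    """Return a list of problems found in a pasted PEM block (empty list = OK)."""
    m = PEM_RE.search(text)
    if not m:
        return ["no complete BEGIN/END pair found (was a marker line left out?)"]
    begin, body, end = m.group(1), m.group(2), m.group(3)
    problems = []
    if begin != end:
        problems.append(f"BEGIN {begin} does not match END {end}")
    if begin != expected_label:
        problems.append(f"expected {expected_label}, found {begin}")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return problems + ["body is not valid base64 (characters lost in copying?)"]
    # A certificate and a PKCS#8 key are each one DER SEQUENCE: tag 0x30, then a length.
    if len(der) < 2 or der[0] != 0x30:
        return problems + ["decoded data is not a DER SEQUENCE"]
    if der[1] < 0x80:                      # short form: the byte is the length
        header, length = 2, der[1]
    else:                                  # long form: low 7 bits = number of length bytes
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        problems.append(
            f"DER length says {header + length} bytes, got {len(der)} (truncated paste?)")
    return problems

def make_pem(label, der):
    """Wrap bytes in PEM armour, 64 base64 characters per line."""
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample: a structurally valid DER SEQUENCE, NOT a real certificate or key.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))
GOOD_CERT = make_pem("CERTIFICATE", SAMPLE_DER)

if __name__ == "__main__":
    print(check_pem(GOOD_CERT, "CERTIFICATE"))                    # complete paste
    print(check_pem(GOOD_CERT.rsplit("-----END", 1)[0], "CERTIFICATE"))  # END line lost
```

This only checks that the block was copied whole; it does not confirm that the key belongs to the certificate, which CPanel checks when you install.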